Date post: | 05-Apr-2018 |
Category: |
Documents |
Upload: | howell-perez |
View: | 217 times |
Download: | 0 times |
of 77
8/2/2019 1584431_Global Internal Survey Report v Web Version
1/77
THE IIAS GLOBAL INTERNAL AUDIT SURVEY
Imperatives forChange:The IIAs Global InternalAudit Survey in Action
8/2/2019 1584431_Global Internal Survey Report v Web Version
2/77
8/2/2019 1584431_Global Internal Survey Report v Web Version
3/77
The IIAs Global Internal Audit Survey:
A Component of the CBOK Study
Imperatives for Change:The IIAs Global Internal Audit Survey in Action
Report V
Richard J. Anderson, CPA, CFSA
J. Christopher Svare
8/2/2019 1584431_Global Internal Survey Report v Web Version
4/77
Disclosure
Copyright 2011 by The Institute of Internal Auditors Research Foundation (IIARF), 247 Maitland
Avenue, Altamonte Springs, Florida 32701-4201. All rights reserved. No part of this publication may
be reproduced, stored in a retrieval system, or transmitted in any form by any means electronic,
mechanical, photocopying, recording, or otherwise without prior written permission of the publisher.
The IIARF publishes this document for informational and educational purposes. This document is
intended to provide information, but is not a substitute for legal or accounting advice. The IIARF
does not provide such advice and makes no warranty as to any legal or accounting results through its
publication of this document. When legal or accounting issues arise, professional assistance should be
sought and retained.
The Institute of Internal Auditors (IIAs) International Professional Practices Framework (IPPF)
comprises the full range of existing and developing practice guidance for the profession. The IPPF
provides guidance to internal auditors globally and paves the way to world-class internal auditing.
The mission of The IIARF is to expand knowledge and understanding of internal auditing by providing
relevant research and educational products to advance the profession globally.
The IIA and The IIARF work in partnership with researchers from around the globe who conduct
valuable studies on critical issues affecting todays business world. Much of the content presented in
their nal reports is a result of IIARF-funded research and prepared as a service to The Foundation
and the internal audit profession. Expressed opinions, interpretations, or points of view represent a
consensus of the researchers and do not necessarily reect or represent the ofcial position or policies
of The IIA or The IIARF.
ISBN 978-0-89413-700-6
2/11
First Printing
ii A Component of the CBOK Study
8/2/2019 1584431_Global Internal Survey Report v Web Version
5/77
Dedication
William G. Bishop III, CIA, served as president of The Institute of Internal Auditors from September
1992 until his untimely death in March 2004. With a motto of Im proud to be an internal auditor,
he strived to make internal auditing a truly global profession. Bill Bishop advocated quality research for
the enhancement of the stature and practice of internal auditing. To help enhance the future of this
profession, it is vital for the profession to document the evolution of the profession worldwide.
iiiA Component of the CBOK Study
8/2/2019 1584431_Global Internal Survey Report v Web Version
6/77
8/2/2019 1584431_Global Internal Survey Report v Web Version
7/77
Table of Contents
Acknowledgments............................................................................................................................. vii
About the Authors ............................................................................................................................. ix
Foreword .............................................................................................................................................. xi
Introduction .........................................................................................................................................1
Imperative 1 Sharpen Your Focus on Risk Management and Governance ......................................3
Imperative 2 Conduct a More Responsive and Flexible Risk-based Audit Plan .............................9
Imperative 3 Develop a Strategic Vision for Internal Auditing......................................................13
Imperative 4 Focus, Monitor, and Report on Internal Auditings Value ........................................17
Imperative 5 Strengthen Audit Committee Communications and Relationships .........................21
Imperative 6 View Compliance with The IIAs International Standards for theProfessional Practice of Internal Auditing as Mandatory, Not Optional .....................25
Imperative 7 Acquire and Develop Top Talent .............................................................................29
Imperative 8 Enhance Training for Internal Audit Activities ........................................................33
Imperative 9 Take Advantage of Expanding Service Provider Membership ..................................37
Imperative 10 Step Up Your Use of Audit Technology and Tools ....................................................39
Appendix: Template for Audit Committee Discussions ............................................................43
The IIAs Global Internal Audit Survey Questions ................................................................47
The IIAs Global Internal Audit Survey Glossary .................................................................53
The IIA Research Foundation Sponsor Recognition .................................................................57
The IIA Research Foundation Board of Trustees.......................................................................59
The IIA Research Foundation Committee of Research and Education Advisors................60
vA Component of the CBOK Study
8/2/2019 1584431_Global Internal Survey Report v Web Version
8/77
8/2/2019 1584431_Global Internal Survey Report v Web Version
9/77
Acknowledgments
The 21st century presents unprecedented growth opportunities for the internal audit profession.
Advances in technology, the conuence of the Information and the Internet Age, and the sheer speed
and expansion of communications capabilities have signicantly accelerated the pace of globalization.
Governance, risk, controls, and compliance processes within organizations have undergone signicant
change to manage the increasing complexity and sophistication of global business operations. All
of these developments offer a huge opportunity for internal audit functions, whether in-sourced,
co-sourced, or outsourced, including the potential to add even greater value to their respective
organizations.
To ensure that a body of knowledge is systematically built up, developments in practice in a dynamically
changing environment must be carefully monitored and continually analyzed to reveal critically
important insights. Key lessons learned from the experience of the profession must constitute part of
the historical record and be transmitted to current and future generations of internal audit professionals
for optimal outcomes. Not only must we strive to secure a robust portrayal of the current state of theprofession, but encourage practice-relevant research to inform and push the boundaries of practice.
We are fortunate that under the auspices of the William G. Bishop III, CIA, Memorial Fund,
administered by The IIA Research Foundation, it is possible to undertake large-scale studies of the global
internal audit profession. We sincerely appreciate Mary Bishops passion and commitment to further the
internal audit profession while honoring Bill Bishops legacy. The inaugural Common Body of Knowledge
(CBOK) survey under William Taylors leadership occurred in 2006; this is the second iteration. Based on
the responses from The IIAs Global Internal Audit Survey from 2006 and now in 2010, it is possible to
compare results and perform high-level trending.
Five reports cover the full spectrum of a wide range of the survey questions (carefully designed to
allow for comparison between the 2006 and 2010 survey data). These reports cover topical content
from characteristics of an internal audit activity to implications for charting the future trajectory of the
profession. The cooperation and sharing among the ve report-writing teams representing the Americas,
Asia, Europe, and the Middle East have made this project a truly global and collaborative effort.
We hope that this collection of reports describing the expected inuence of major themes about, and
developments in, the profession as extracted from the survey will provide a comprehensive snapshot of
the profession globally, offer helpful insights and actionable intelligence, and point the way forward to
maintaining the professions continued relevance and value-added contributions.
For a large global project such as The IIAs Global Internal Audit Survey, the list of individuals to thank is
quite extensive. First of all, our special thanks go to IIA Research Foundation Trustee Marjorie Maguire-
Krupp who was involved at the inception of the CBOK study in the fall of 2008, and soon thereafter,
retired former IIA President David Richards who, along with Michelle Scott, provided the initial
leadership to this signicant project.
viiA Component of the CBOK Study
8/2/2019 1584431_Global Internal Survey Report v Web Version
10/77
In addition, we must acknowledge William Taylor and Leen Paape, both advisors to the CBOK 2010
study co-chairs, and the following international members of the CBOK 2010 Steering Committee,
as well as the Survey Design Subcommittee and the Deliverables Oversight Subcommittee, for
their guidance and signicant contributions to the survey design, administration, data collection,
interpretation, and topic-specic reports: Abdullah Al-Rowais, AbdulQader Ali, Audley Bell, Sezer
Bozkus, John Brackett, Ellen Brataas, Edouard Bucaille, Adil Buhariwalla, Jean Coroller, David Curry,Todd Davies, Joyce Drummond-Hill, Claudelle von Eck , Bob Foster, Michael Head, Eric Hespenheide,
Greg Hill, Steve Jameson, Batrice Ki-Zerbo, Eric Lavoie, Luc Lavoie, Marjorie Maguire-Krupp, John
McLaughlin, Fernando Mills, Michael Parkinson, Jeff Perkins, Carolyn Saint, Sakiko Sakai, Patricia
Scipio, Paul Sobel, Muriel Uzan, R. Venkataraman, Dominique Vincenti, and Linda Yanta.
Several members of these committees must be particularly thanked for their extended participation
in what became a prolonged, three-year commitment for this large-scale undertaking. Each of these
individuals contributed their leadership, wealth of knowledge and experience, time, and effort to the
CBOK study and deserves our deepest gratitude.
Professor Mohammad Abdolmohammadi of Bentley University was key to the 2010 data analysis and
preparation of summary tables of the survey responses, as he was for the CBOK study in 2006. Professor
Sandra Shelton of DePaul University must be recognized for giving the reports a smooth ow and an
overall consistency in style and substance.
The survey could not have succeeded without the unstinted and staunch support of the survey project
champions at The IIA institutes worldwide. At The IIAs global headquarters in Altamonte Springs,
Florida, United States, many staff members, especially Bonnie Ulmer and Selma Kuurstra, worked
tirelessly and provided indispensable support and knowledge. Bonnie Ulmer, IIARF vice president,
David Polansky, IIARF executive director, and Richard Chambers, IIA president and CEO (who
simultaneously served as executive director for most of the project), provided the necessary direction forthe successful completion of the project.
Last but not least, The IIAs 2010 CBOK study component The Global Internal Audit Survey and
the resulting ve reports owe their contents to thousands of IIA members and nonmembers all over the
world who took the time to participate in the survey. In a sense, these reports are a tting tribute to the
contributions made by internal audit professionals around the globe.
CBOK 2010 Steering Committee Co-chairs
Dr. Sridhar Ramamoorti, CIA, CFSA, CGAP
Associate Professor of Accountancy
Michael J. Coles College of Business
Kennesaw State University
Susan Ulrey, CIA, FCA, CFE
Managing Director, Risk Advisory Services
KPMG LLP
Imperatives for Change: The IIAs Global Internal Audit Survey in Action
viii A Component of the CBOK Study
8/2/2019 1584431_Global Internal Survey Report v Web Version
11/77
About the Authors
Richard J. Anderson, CPA, CFSA, has a diverse background in the nancial and professional services
industries. He is a retired PricewaterhouseCoopers LLP partner, where he served as a managing partner
in the Internal Audit Services practice. Before joining PricewaterhouseCoopers, Anderson headed two
internal audit functions, including serving as global head of internal audit and credit review for a major
U.S. bank. He writes and lectures on risk management and internal audit topics at DePaul University
in Chicago, Illinois (United States). His articles have appeared in numerous publications, including
Internal Auditor, Financial Executive, Journal of Business Strategy, Internal Auditing, Directors Monthly,
and theJournal of Accountancy. He is also a member of The IIA Research Foundations Board of
Trustees.
J. Christopher Svare specializes in the development of clear, concise communications intended to
inform and persuade key stakeholders and target publics. Since launching Partners in Communication
in 1992, Svare has worked with more than 100 organizations, including a broad scope of industry
leaders in professional services and consulting. From 2000 to 2008, he partnered with Richard J.Anderson, Richard F. Chambers, and other subject-matter experts from PricewaterhouseCoopers LLP
on a wide range of thought leadership that included Internal Audit 2012, a major study examining
the future of internal auditing, as well as an annual series of State of the Internal Audit Profession
reports. He and Anderson also developed 10 Risk Management Imperatives for Internal Auditing and
Navigating Competing Internal Audit Priorities for The IIAs Audit Executive Center.
ixA Component of the CBOK Study
8/2/2019 1584431_Global Internal Survey Report v Web Version
12/77
8/2/2019 1584431_Global Internal Survey Report v Web Version
13/77
Foreword
The IIAs Global Internal Audit Survey: A Component of the CBOK Study
The 2010 IIA Global Internal Audit Survey is the most comprehensive study ever to capture the current
perspectives and opinions from a large cross-section of practicing internal auditors, internal auditservice providers, and academics about the nature and scope of assurance and consulting activities on
the professions status worldwide. This initiative is part of an ongoing global research program funded
by The Institute of Internal Auditors Research Foundation (IIARF) through the William G. Bishop III,
CIA, Memorial Fund to broaden the understanding of how internal auditing is practiced throughout the
world.
A comprehensive database was developed, including more than 13,500 useable responses from
respondents in more than 107 countries. The ve reports derived from analysis of the survey responses
provide useful information to internal audit practitioners, chief audit executives (CAEs), academics,
and others to enhance the decision-making process involving stafng, training, career development,
compliance with The IIAs International Standards for the Professional Practice of Internal Auditing
(Standards), competencies, and the emerging roles of the internal audit activity.
Characteristics of an Internal Audit Activity (Report I)examines the characteristics of the internalaudit activity, including demographics, stafng levels, and reporting relationships.
Core Competencies for Todays Internal Auditor (Report II)identies and discusses the mostimportant competencies for internal auditors. It also addresses the adequacy, use, and
compliance with The IIAs Standards.
Measuring Internal Auditings Value (Report III)focuses on measuring the value of internal auditingto the organization.
Whats Next for Internal Auditing? (Report IV)provides forward-looking insight identifying perceivedchanges in the roles of the internal audit activity over the next ve years.
Imperatives for Change: The IIAs Global Internal Audit Survey in Action (Report V)contains conclusions,observations, and recommendations for the internal audit activity to anticipate and match
organizations fast-changing needs to strategically position the profession for the long term.
The 2010 survey builds upon the baseline established in prior Common Body of Knowledge (CBOK)
studies (i.e., 2006), allowing for comparison, analysis, and trends as well as a baseline for comparisonwhen The IIAs Global Internal Audit Survey is repeated in the future.
PRIOR IIA CBOK Studies
The IIA has sponsored ve prior CBOK studies. The table on the following page compares the number
of participating countries and usable questionnaire responses used in each CBOK study. While CBOK
studies I through IV were offered only in English, the 2006 and 2010 surveys were available in 17 and
22 languages, respectively.
xiA Component of the CBOK Study
8/2/2019 1584431_Global Internal Survey Report v Web Version
14/77
CBOKs Number of Respondents and Countries Over the Years
CBOK
Number Year
Number of
Countries
Number of Usable
Responses
I 1972 1 75
II 1985 2 340
III 1991 2 1,163
IV 1999 21 136
V 2006 91 9,366
VI 2010 107 13,582
The 2010 IIA Global Internal Audit Survey Benets to the Profession
Maximizing the internal audit function is imperative to meet the challenges of todays businessenvironment. Globalization and the rapid pace of change have in many ways altered the critical skill
framework necessary for success at various levels of the internal audit function. Internal auditings value
will be measured by its ability to drive positive change and improvement. It is imperative for internal
auditing to examine current trends within the profession and thus be able to make recommendations for
changes within the internal audit activity. This should help internal auditing to:
Deliver the greatest value to its organization. Anticipate and meet organizations needs. Strategically position the profession for the long term.
Research Teams
The following researchers, selected from the responses to the Request for Proposal, were involved
in writing the reports and worked closely with Mohammad J. Abdolmohammadi (Bentley University,
United States) who provided general data analysis from the 2006 and 2010 survey databases as well as
additional analysis based on researchers request.
Report I
Yass Alkafaji, Munir A. Majdalawieh, Ashraf Khallaf (American University of Sharjah, United Arab
Emirates) and Shakir Hussain (University of Birmingham, United Kingdom).
Report II
James A. Bailey (Utah Valley University, United States).
Report III
Jiin-Feng Chen and Wan-Ying Lin (National Chengchi University, Taiwan, Republic of China).
Imperatives for Change: The IIAs Global Internal Audit Survey in Action
xii A Component of the CBOK Study
8/2/2019 1584431_Global Internal Survey Report v Web Version
15/77
Report IV
Georges M. Selim and Robert Melville (Cass Business School, United Kingdom), Gerrit Sarens
(Universit Catholique de Louvain, Belgium), and Marco Allegrini and Giuseppe DOnza (University of
Pisa, Italy).
Report V
Richard J. Anderson (De Paul University, United States) and J. Christopher Svare (Partners in
Communication, United States).
xiiiA Component of the CBOK Study
Foreword
8/2/2019 1584431_Global Internal Survey Report v Web Version
16/77
8/2/2019 1584431_Global Internal Survey Report v Web Version
17/77
Introduction
The 10 Imperatives for Change, written primarily for chief audit executives (CAEs), represent the fth
in a series of ve reports being published by The Institute of Internal Auditors Research Foundation
(IIARF) to highlight the ndings of The IIAs 2010 Global Internal Audit Survey. This report, which
builds off of the detailed ndings found in the rst four reports, presents a series of overarching topics
under the heading Imperatives for the internal audit profession. Each imperative is accompanied by
recommended action steps for CAE consideration. CAEs are encouraged to think about how these 10
imperatives and recommended action steps apply to their particular activities, recognizing that levels of
maturity and sophistication vary signicantly among internal audit activities around the world depending
on size, location, culture, and other key factors.
Emphasize Risk Management and Governance
At a time when risk management is viewed as a top concern by directors, senior management, and
regulators alike, internal auditors need to move beyond their traditional focus on internal controls andassurance and show they can adapt more readily to a fast-changing economic environment. As the 10
imperatives collectively suggest, internal auditors need to sharpen their focus on risk management and
governance processes, which are projected to become the cornerstones of the internal audit profession,
and conduct a more responsive and exible risk-based audit plan.
Address Key Stakeholder Priorities
CAEs also need to focus on a host of top stakeholder priorities from developing a strategic vision for
internal auditing to focusing on how internal auditing is creating value. They need to do all they can
to strengthen audit committee communications and relationships. And they need to view compliancewith The IIAs International Standards for the Professional Practice of Internal Auditing (Standards) as
mandatory, not optional.
Optimize Internal Audit Resources
Although accounting and auditing will continue to remain core skills within the profession, internal
auditors will need to nd broader skills and competencies, both internally and externally, to address
emerging issues and changing stakeholder expectations more effectively. To achieve high degrees of
success, CAEs will need to acquire and develop top talent, enhance training for members of their
internal audit activities, and take advantage of the expanding ranks of service providers, who now
comprise a quarter of the respondents to The IIAs 2010 Global Internal Audit Survey.
Leverage Technology Effectively
To operate in todays increasingly complex world of technology and to audit more efciently and
effectively, internal audit activities will need to enhance their use of automated technology and tools. To
do so, internal auditors will need to step up their use of audit technology and automated tools, acquire
or develop new skills and expertise, and revamp traditional testing and documentation processes.
1A Component of the CBOK Study
8/2/2019 1584431_Global Internal Survey Report v Web Version
18/77
These new technologies also offer benets in related processes such as risk assessment and continuous
monitoring.
The 10 Imperatives for Change
Group I: Emphasize Risk Management and Governance
1. Sharpen Your Focus on Risk Management and Governance
2. Conduct a More Responsive and Flexible Risk-based Audit Plan
Group II: Address Key Stakeholder Priorities
3. Develop a Strategic Vision for Internal Auditing
4. Focus, Monitor, and Report on Internal Auditings Value
5. Strengthen Audit Committee Communications and Relationships
6. View Compliance with The IIAs International Standards for the Professional Practice of
Internal Auditing as Mandatory, Not Optional
Group III: Optimize Internal Audit Resources
7. Acquire and Develop Top Talent
8. Enhance Training for Internal Audit Activities
9. Take Advantage of Expanding Service Provider Membership
Group IV: Leverage Technology Effectively
10. Step up Your Use of Audit Technology and Tools
Appendix
Template for Audit Committee Discussions
Imperatives for Change: The IIAs Global Internal Audit Survey in Action
2 A Component of the CBOK Study
8/2/2019 1584431_Global Internal Survey Report v Web Version
19/77
Imperative 1Sharpen Your Focus on Risk Management andGovernance
Over the next ve years, internal audit activities will need to broaden the scope of their internal audit
coverage and resourcing beyond control processes (their traditional area of focus and expertise) to include
risk management and governance processes. In doing so, they will need to develop and expand their
coverage of corporate governance and enterprise risk management (ERM) as well as risks and processes
related to corporate strategy and performance, ethics, and social and sustainability audit issues.
A number of converging factors are driving the heightened focus on risk management and governance:
The scope, frequency, and complexity of major risk events are increasing, oftencreating the need for individual organizations to respond accordingly (see sidebar: Risk
Connections Raise Global Concerns on page 5). A recent joint survey by the AmericanInstitute of Certied Public Accountants (AICPA) and the UK-based Chartered Institute of
Management Accountants noted that respondents overwhelmingly perceive the volume and
complexity of risks to be notably greater than ve years ago.
Internal audit activities have stepped up their coverage of credit, market, andliquidity risks as well as their investigations of fraud and other nancial irregularities in
response to serious control breakdowns in the nancial services sector that contributed to
the global economic recession.
Audit committees and boards of directors are rethinking risk oversight, recognizingthe potential threat of strategic risks and governance concerns to organizational viability.They are also increasingly requesting assistance from internal auditing in these areas.
The IIAs International Standards for the Professional Practice of InternalAuditing (Standards) now requires internal auditors to evaluate governance and risk
management capabilities in addition to control functions.
Survey Results Support New Focus
Given the collective impact of such factors, it is no wonder that key internal audit stakeholders believe
their internal audit activities should increase their focus on risk management and governance. To this
point, 94.1 percent of the respondents to The IIAs recently completed stakeholder expectations survey,1
1 The Stakeholders Expectations and Perceptions Survey, which focuses on the value of internal auditing from the
perspective of key internal audit stakeholders, was undertaken as a component of the 2010 CBOK survey. A pilot
effort limited to the United States, this project represents the rst time that The IIA has gathered data directly
from the key stakeholders of internal auditing. A report on the study, which includes a survey as well as personal
interviews, will be released in the rst quarter of 2011 as well. The survey portion of the study, although limited in
scope, does provide a number of ndings relevant to topics covered in The IIAs Global Internal Audit Survey.
3A Component of the CBOK Study
8/2/2019 1584431_Global Internal Survey Report v Web Version
20/77
conducted in late 2010, either agree or strongly agree that it is important for internal audit activities
to focus on ERM. Moreover, 89.2 percent of respondents favor a similar focus on corporate governance.
This change in focus is also clearly reected by the results of The IIAs 2010 Global Internal
Audit Survey. For starters, nearly 80 percent of survey respondents foresee an increase in their risk
management activities. In addition, when asked to predict several areas where internal auditors wouldbe spending more of their professional time over the next ve years, 23 percent of respondents projected
corporate governance reviews, 20.4 percent selected audits of ERM processes, 19.9 percent chose
reviews addressing the linkage between strategy and company performance, 19.3 percent projected
ethics audits, 18.8 percent selected migration to International Financial Reporting Standards (IFRS),
and 18.6 percent chose social and sustainability audits.
Projections of Internal Audit Focus over the Next Five Years
(respondents could select multiple answers)
Internal Audit Activity Percentage Rank
Corporate governance reviews 23.0% 1
Audits o ERM processes 20.4% 2
Reviews addressing linkage o strategy and company perormance(e.g., balanced scorecard)
19.9% 3
Ethics audits 19.3% 4
Migration to IFRS 18.8% 5
Social and sustainability audits 18.6% 6
It is also clear that 2010 Global Internal Audit Survey respondents believe that they must rst create
awareness of the importance of risk management and governance through training and education to
get organizational support for their enhanced risk management and governance initiatives. In time,
practitioners expect that activities focused on risk management and governance processes will become
the most important cornerstones of their profession, if they have not already done so.
Consider the Impact of Changing Focus on Staff Size, Mix, and Structure
The shifting emphasis and potential expansion of audit coverage will require new skills and expertise for
internal audit activities as well as potentially larger staff sizes to facilitate the desired shift in focus. (See
Imperative 7 below for further discussions on acquiring talent and skills.) Survey results demonstrate
a strong correlation between plans to increase staff size and to make risk management and governance
a higher priority. Respondents who expect the size of their internal audit activities to increase over the
next ve years also expect to see a corresponding increase in their risk management and governance
activities.
Imperatives for Change: The IIAs Global Internal Audit Survey in Action
4 A Component of the CBOK Study
8/2/2019 1584431_Global Internal Survey Report v Web Version
21/77
A more intense focus on risk management and governance will also affect the types of capabilities
needed within the internal audit activity and a rebalancing of staff time devoted to other internal audit
priorities. Ideally, CAEs will achieve strong
synergies between their governance and internal
control activities and minimize the potential
downsides associated with reduced efforts in sometraditional areas due to the increased focus on
corporate governance reviews and audits of ERM
processes. In addition, internal auditings projected
increase in the use of technology and tools (as
described later in Imperative 10) also can enhance
the efciency and effectiveness of more traditional
areas of audit testing.
Survey results also suggest the need for CAEs
to educate their staffs on the importance of
an expanded focus on risk management and
governance. A signicantly higher percentage
of CAEs projected an increase in their risk
management activities than did other staff
members; the same was true for governance. The
key message for CAEs: If the day-to-day focus
of your staff has been on nancial processes,
regulatory compliance, and operational auditing,
members of your staff may not appreciate the need
for internal auditing to place a higher priority on
risk management and governance. In such cases,
take steps to raise staff awareness of this need.
Finally, keep in mind the fact that internal audit
groups in Western Europe, North America, and
Australia will because of the relative maturity of
their internal audit activities likely lead the shift
from a controls focus to one placing greater priority
on risk management and governance issues.
Imperative 1 Key Action Steps for CAEs
Assess the maturity of your organizations risk management and governance processes andcurrent internal audit coverage of these areas:
{ Help your organization develop plans to enhance these activities and move to a higherdesired state of maturity for these processes.
Risk Connections Raise Global Concerns
According to Global Risks 2010, a World
Economic Forum report, the increasing levels o
interconnection among risks point to the need
or a more integrated and systemic approach to
risk management by public and private sectors
alike. The biggest risks acing the world today
may be rom what the report characterizes as
creeping riskssuch as global population growth
and aging that have broad implications in terms
o resource consumption, health care, and fscal
policy, and whose impact can be signifcantly
underestimated because they occur over an
extended period o time.
Other risks listed on the Forums 2010
Global Risks Landscapeinclude fscal crisis
and the social and political implications o
high unemployment, underinvestment in
inrastructure, chronic diseases, transnational
crime and corruption, biodiversity loss, cyber-
vulnerability, and geopolitical risks. The GlobalRisks Landscape, which plots major risks on
a grid in terms o their likelihood and severity,
provides a ramework or decision makers
to look at risks in an integrated manner and
the impetus to manage systemic risks more
eectively.
5A Component of the CBOK Study
Imperative 1: Sharpen Your Focus on Risk Management and Governance
8/2/2019 1584431_Global Internal Survey Report v Web Version
22/77
Develop an appropriate strategic role for internal auditing to provide new or enhancedcoverage of risk management and governance:
{ Project how this role would help enhance the maturity of the organizations riskmanagement and governance processes.
{ Tailor this strategic role to your organization, taking into account factors such asindustry, culture, geographical scope, regulatory environment, ownership of risks, and
maturity of business processes.
{ Take an incremental, step-by-step approach; do not try to do too much at once.{ Consider both assurance and consulting roles for internal auditing, taking into account
the current and desired state of maturity for the activity.
{ Use relevant IIA publications such as: The Role of Internal Auditing in Enterprise-wide Risk Management (IIA position
paper).
10 Risk Management Imperatives for Internal Auditing, a whitepaper published byThe IIAs Audit Executive Center.
{ Review The IIAs Standards pertaining to risk management and governance; take steps toensure compliance with the Standards.
Consider the possible need to educate the audit committee on relevant topics:
{ Risk management in general and the current state of risk management within theorganization.
{ The organizations governance processes.{
The desire to achieve an appropriate balance between the testing of internal controlsand the need to expand the focus of internal auditing to include governance and risk
management.
{ The longer-term strategy for the internal audit activity and the need to increase internalauditings focus on risk management and governance.
Consider a possible role for internal auditing relative to social and sustainability initiativesaffecting your organization.
Review and assess the organizations top risks and key performance indicators (KPIs)associated with the organizations core business strategy (or strategies); incorporate
appropriate coverage of this strategy (or these strategies) into the internal audit plan.
Ensure that the internal audit charter reects the role and responsibilities of internalauditing relative to the organizations risk management and governance processes.
Consider stafng and budgetary needs associated with the desired shift in focus to riskmanagement and governance; take into account necessary mix of staff, organizational
structure, and skill sets.
Imperatives for Change: The IIAs Global Internal Audit Survey in Action
6 A Component of the CBOK Study
8/2/2019 1584431_Global Internal Survey Report v Web Version
23/77
IIA StandardsRelated to Risk Management and Governance
2100 Nature of Work
The internal audit activity must evaluate and contribute to the improvement o governance, risk management,
and control processes using a systematic and disciplined approach.
2110 Governance
The internal audit activity must assess and make appropriate recommendations or improving the governance
process in its accomplishment o the ollowing objectives:
Promoting appropriate ethics and values within the organization;
Ensuring eective organizational perormance management and accountability;
Communicating risk and control inormation to appropriate areas o the organization; and
Coordinating the activities o and communicating inormation among the board, external and internalauditors, and management.
2120 Risk Management
The internal audit activity must evaluate the eectiveness and contribute to the improvement o risk
management processes.
7A Component of the CBOK Study
Imperative 1: Sharpen Your Focus on Risk Management and Governance
8/2/2019 1584431_Global Internal Survey Report v Web Version
24/77
8/2/2019 1584431_Global Internal Survey Report v Web Version
25/77
Imperative 2Conduct a More Responsive and Flexible Risk-based Audit Plan
The 2010 Global Internal Audit Survey results point to the need to enhance the risk assessment process
associated with developing the annual internal audit plan, which the Standards requires to be risk-based.
According to Standard 2010.A1, the internal audit activitys plan of engagements must be based on a
documented risk assessment, undertaken at least annually, with input from both senior management
and the board. Of note, 72.3 percent of respondents conduct an internal audit risk assessment as part of
their audit planning activity.
To be most effective, audit plans need to employ risk-based methodologies wherever possible and build
in sufcient exibility to address the organizations changing risk prole. According to survey results,
21.9 percent of respondents reported using a risk-based methodology to establish their audit plan; a
number of them suggested ample room for improvement. On the plus side, smaller organizations, inparticular, projected higher-than-average increases in the employment of risk-based audit planning.
In the survey which focused on many of the most important competencies, knowledge areas, and
audit tools or techniques related to risk-based auditing respondents ranked risk-based audit planning
as the most important audit tool or technique. Moreover, survey results indicate that the ve most
important technical skills are all key elements of risk-based auditing. They include understanding
business; risk analysis and control assessment techniques; identifying types of controls; governance,
risk, and control tools and techniques; and business process analysis. In addition, analytical review and
statistical sampling are important audit tools and techniques for risk-based auditing.
Given the speed with which major risk events can materialize, and their virtually unlimited nature,
leading internal audit activities revisit their risk assessments and audit plans more frequently than
once a year, with quarterly updates becoming more prevalent. The idea that an internal audit activity
can update its audit plan only once a year and still remain timely, responsive, and effective needs to be
challenged strongly. In the 2010 Global Internal Audit Survey, more than 60 percent of respondents
indicated that they only update their audit plans once a year; roughly a third report updating their plans
more frequently. The results are comparable to the 2006 survey.
In The IIAs Stakeholders Expectations and Perceptions Survey, more than 90 percent of respondents
either agree or strongly agree that internal audit activities should focus on emerging issues. As the
results of that survey indicate, stakeholders support the need for a more risk-based and responsiveaudit effort, one requiring additional internal audit time and resources to accomplish. In addition,
stakeholders indicated that to develop a more responsive risk-based audit plan, an internal audit activity
may need to reallocate resources from audit efforts focusing on lower-risk areas.
9A Component of the CBOK Study
8/2/2019 1584431_Global Internal Survey Report v Web Version
26/77
Imperative 2 Key Action Steps for CAEs
Assess the maturity of your risk assessment process and develop plans to extend itsapplication across the enterprise.
Develop processes within internal auditing to identify and report on emerging risks:
{ Make the identication of emerging issues a key performance responsibility of yourdirect reports.
{ Coordinate with the organizations other risk and control units to share information andviews on emerging issues.
{ Identify and use external sources of relevant data, knowledge, and business issues toassist in the identication of external emerging issues.
Assess your process for making periodic updates and revisions to your annual audit plan;develop steps to enable internal auditing to move faster and make more frequent changes to
the audit plan as the organizations risks change.
Talk to your key stakeholders (executive management and the audit committee) about theneed to make more frequent updates to the audit plan; seek agreement on an appropriate
balance between the need for internal auditing to complete the annual plan and their
desire for internal auditing to make changes in response to emerging and changing risks:
{ Consider implementation of a rolling audit plan; for example, a plan that is rolledforward to cover the next six months.
Conduct regular, frank discussions with both senior management and the audit committeeabout the nature, scope, and severity of the organizations risk prole.
Develop or rene your audit reporting to demonstrate a more direct link between changes tothe organizations risk prole and associated changes to the audit plan.
Imperatives for Change: The IIAs Global Internal Audit Survey in Action
10 A Component of the CBOK Study
8/2/2019 1584431_Global Internal Survey Report v Web Version
27/77
IIA StandardsRelated to Risk-based Audit Plans
2010 Planning
The chie audit executive must establish risk-based plans to determine the priorities o the internal audit
activity, consistent with the organizations goals.
Interpretation:
The chief audit executive is responsible for developing a risk-based plan. The chief audit executive takes into
account the organizations risk management framework, including using risk appetite levels set by management
for the different activities or parts of the organization. If a framework does not exist, the chief audit executive
uses his/her own judgment of risks after consultation with senior management and the board.
2010.A1 The internal audit activitys plan o engagements must be based on a documented risk
assessment, undertaken at least annually. The input o senior management and the board must be considered
in this process.
11A Component of the CBOK Study
Imperative 2: Conduct a More Responsive and Flexible Risk-based Audit Plan
8/2/2019 1584431_Global Internal Survey Report v Web Version
28/77
8/2/2019 1584431_Global Internal Survey Report v Web Version
29/77
Imperative 3Develop a Strategic Vision for Internal Auditing
The stage is set for the continuing evolution of internal auditing, a relatively young profession
characterized by varying levels of maturity around the world. To achieve their strategic objectives,internal audit activities need
to develop clear road maps
to help address stakeholder
expectations and navigate
a host of unknowns in the
risk, regulatory, and business
arenas. This is especially
true today with internal
auditing facing a multitude
of challenges and changesin both the profession
and the global economic
environment. While most
internal audit activities have
charters, as required by The
IIAs Standards, fewer have
mission statements and
strategies.
At this point, only 57
percent of the 2010 Global
Internal Audit Survey
respondents report having
a mission statement for
internal auditing and only
51 percent indicate that
they have an internal audit
strategy in place. As a
profession, that leaves plenty
of room for improvement.
An internal audit activityneeds a clear mission
statement as well as a
supporting strategic plan to
establish priorities, budget
effectively, and achieve its
core objectives. For example,
survey results provide CAEs
Alignment of Key Internal Audit Governance Documents
The governance structure o an internal audit activity typically will include
a charter and mission statement along with a vision statement and
a strategic plan. To clariy the purpose and relationship o these core
governance documents, a short summary o each is outlined below.
Internal Audit Charter: The internal audit charter, a requirement o IIA
Standard 1000: Purpose, Authority, and Responsibility, is the primary
governing document or an internal audit unction. It defnes the purpose,
authority, and responsibility o the internal audit activity and must be
periodically reviewed and approved by senior management and the board.
It should also include internal auditings current mission statement. Keep
in mind the need or the charter to reect actual internal audit activities as
opposed to mere legalistic wording.
Internal Audit Mission Statement: The mission statement is a high-level
narrative describing the current overall mission o the organizations
internal audit activities. In addition to reecting the core activities ointernal auditing, such as providing assurance and consulting activities,
the mission statement should convey the unique expectations o the
organizations key stakeholders, in particular those o the audit committee/
board and senior management.
Internal Audit Vision Statement: The vision statement is a succinct,
orward-looking narrative that provides a high-level strategic direction
or internal auditing. It typically describes activities that internal auditing
aspires to provide as opposed to activities that it currently oers.
Internal Audit Strategic Plan: The strategic plan is a orward-looking
document that lays out the action steps needed to achieve and implement
the internal audit vision. A strategic plan will typically cover areas such
as technology, human resources, and working practices. (See Internal
Audit Strategy Gap Analysis on page xx or additional topics.) Since
strategic plans can require more than one year to implement, they are oten
supported by annual tactical plans.
13A Component of the CBOK Study
8/2/2019 1584431_Global Internal Survey Report v Web Version
30/77
with several areas of future focus and direction that should receive careful review and consideration.
A well-conducted strategic planning exercise will allow the CAE to develop his or her mission and
consider various approaches and strategies for achieving that mission. This process is virtually identical
to the processes typically undertaken by most businesses to understand their customers and develop
products and strategies to address customer needs while pursuing internal business objectives. Internal
audit activities need to operate in the same manner.
To deal appropriately in a demanding operating environment, it is vital that the CAE, in concert with
both the audit committee and senior management, achieve agreement on the specic areas of focus for
the internal audit activity. It is also imperative for the CAE to determine the specic expectations of his
or her chief stakeholders and to develop strategies and tactics to address these expectations. Moreover,
it is critical to monitor stakeholder feedback in an ongoing, systematic manner and to update internal
audit plans as needed to address changing expectations.
Finally, a clear mission and strategy for internal auditing can add value by providing members of the
internal audit activity with a solid understanding of its future direction and focus. To effect desired
change, it is imperative that the staff have a clear understanding of the internal audit mission and
supporting strategy.
Imperative 3 Key Action Steps for CAEs
Review internal auditings mission and goals, taking into account key stakeholderexpectations.
Develop a vision for internal auditing covering a two-to-four-year time frame that includeskey areas of focus to drive the future mission.
Conduct a gap analysis to compare your current capabilities and processes with thoseneeded to achieve your vision (see example below).
Develop strategies and tactics to address perceived gaps:
{ Use IIA knowledge resources to identify possible tactics and developing practices. Identify KPIs to assess progress against key goals and suggest areas for corrective measures. Develop a comprehensive strategic plan to achieve your vision that includes key milestones
and target dates:
{ Share this strategic plan with your key stakeholders, address their concerns, and gettheir buy-in and validation.
{ Seek appropriate funding and resources to pursue agreed-upon objectives.{ Develop appropriate measures to monitor plan achievement, including periodic reporting.{ Develop a communications plan to educate staff and management on future strategies
and expected benets.
Imperatives for Change: The IIAs Global Internal Audit Survey in Action
14 A Component of the CBOK Study
8/2/2019 1584431_Global Internal Survey Report v Web Version
31/77
IIA StandardsRelated to Strategic Vision
2000 Managing the Internal Audit Activity
The chie audit executive must eectively manage the internal audit activity to ensure it adds value to the
organization.
Internal Audit Strategy Gap Analysis (Example of Planning Tool)
This planning grid is a simple and concise tool to help CAEs develop a comprehensive internal audit
strategy and convey its key elements to staff and key stakeholders. Core internal audit processes are
listed on the vertical column. For each of the core processes, you would indicate the current state of
your process, your desired vision, and the key actions and time frame needed to achieve this vision. A
more detailed project plan would support this summary analysis.
Internal Audit Activity Strategy Gap Analysis
Core Internal Audit
Processes Current State Future Vision Key Actions
Time Frame toImplement
Mission statement
Human resources
Risk assessment
Audit plan and scope
Working practices
Reporting
Technology
Perormance monitoring
IIA Standardscompliance
Core Internal Audit Processesfor Internal Auditing This list can be tailored as needed to
add or subtract processes. For example, some internal auditors may want to break out specic working
practices in more detail or add other processes such as fraud investigations.
Current State Short summary of the key actions and attributes of current internal audit processes
for each item.
15A Component of the CBOK Study
Imperative 3: Develop a Strategic Vision for Internal Auditing
8/2/2019 1584431_Global Internal Survey Report v Web Version
32/77
Future Vision A concise description of your future vision for a process. In technology, for example,
the vision might include having data mining practices and tools operating in each part of the internal
audit activity, including properly trained staff.
Key Actions Summary of high-level actions needed to achieve the future vision that is ideally
supported by a separate, more detailed project plan.
Implementation Time Frame Projected time frame to complete basic analysis.
Other information such as projected costs or prioritization of activities can be added as needed.
Imperatives for Change: The IIAs Global Internal Audit Survey in Action
16 A Component of the CBOK Study
8/2/2019 1584431_Global Internal Survey Report v Web Version
33/77
Imperative 4Focus, Monitor, and Report on InternalAuditings Value
In the world of internal auditing, perceptions matter. The value of an internal audit activity is directly
related to itsperceived contributions to the organization, with such contributions being a proxy for value
provided. This is one of the most important insights to be gained from the 2010 Global Internal Audit
Survey.
However, not all perceptions have equal weight. Those of top management and the audit committee
the chief stakeholders of an internal audit activity matter most. Knowing this, one would think that
every major aspect of a primary internal audit activity would be stakeholder-driven, with strategies and
tactics clearly based on a set of internal audit priorities established by the CAE that align clearly with
audit committee and senior management expectations. In practice, however, this stakeholder-driven
approach for managing an internal audit activity and measuring the value provided by internal auditingappears to be more the exception than the rule.
Where Internal Auditors Believe They Add Value
Most respondents believe that their internal audit activities add value to their organizations through
their independence and objectivity. They also believe they add strong value in the area of controls. In
addition, more than 70 percent agree that compliance with The IIAs Standards is a key factor in adding
value to the organizations overall governance processes. At the same time, however, survey respondents
are less condent that they are making similar levels of contribution in the key areas of risk management
and governance.
In terms of assessing the value of internal auditings contributions, survey results indicate that most
measures of internal audit value focus on more tactical activities performed by internal auditing as
opposed to stakeholder-driven activities that address the expectations of the audit committee and
senior management. According to survey results, the most common method used to measure internal
audit value today is percentage of audit plan completed, a methodology employed by 13.7 percent of
respondents. Although this measure is obviously important, it could be viewed as more of an expected
result as opposed to a strong, value-adding activity. Stakeholder and client surveys, one of the best ways
to assess value delivered, are only used by 20 percent of respondents.
Survey results also point toward future evolution in performance measurement. While the top ve
methods used today will continue to be important in the future, the balanced scorecard method
is expected to gain in importance over the next ve years. This projection suggests that CAEs will
increasingly broaden their performance measures, including tracking progress against specic
stakeholder expectations. The balanced scorecard approach to measurement can be applied to additional
types of measures while CAEs continue to employ more traditional measures of performance.
17A Component of the CBOK Study
8/2/2019 1584431_Global Internal Survey Report v Web Version
34/77
In addition, CAEs who are either currently executing a strategic plan or planning to implement one
should consider how best to measure performance related to the plan. During plan implementation,
performance measures should address the status of implementation. Following implementation,
performance measures should target the anticipated benets of the strategic planning activities.
Promoting the Value of Internal Auditing is Rated the Top IncrementalCompetency for CAEs
The ability to promote the internal audit activity was the top-ranked competency for CAEs in both the
2006 and 2010 surveys, making it a critical ongoing competency for internal audit leaders. It stands to
reason that the ability to promote the value of internal auditing within the organization could well have
a direct impact on the resources allocated to the activity. For CAEs to promote the value of internal
auditing effectively, and thus achieve success in their most important incremental core competency,
they need to rst understand how their internal audit activities add value. That means determining how
senior management and the audit committee perceive internal audit value and then dening the value
that these primary stakeholders expect internal auditing to deliver. In addition, CAEs should seek inputfrom key managers throughout the organization on how the internal audit activity can help them add
value to their areas of responsibility and to the organization as a whole. Finally, CAEs need to employ
stakeholder-driven techniques such as interviews, surveys, and balanced scorecards to measure the value
provided by internal auditing.
One nal note: The failure to dene internal audit value from a stakeholder perspective likely reects
insufcient communications and interactions with the audit committee and executive management.
Top Six Methods for Measuring Internal Auditings Value
Method
% of Usage by 2010 Global Internal Audit
Survey Respondents
Assessment by percentage o audit plan complete 13.7%
Acceptance and implementation o recommendations 11.8%
Assessment by survey or eedback rom the board, audit committee, and/or senior management
10.8%
Assessment by customer/auditee surveys rom audited departments 9.1%
Assurance o sound risk management and internal control 8.3%
Reliance by external auditors on the internal audit activity 8.3%
Imperatives for Change: The IIAs Global Internal Audit Survey in Action
18 A Component of the CBOK Study
8/2/2019 1584431_Global Internal Survey Report v Web Version
35/77
Imperative 4 Key Action Steps for CAEs
Through interviews or surveys, determine key stakeholder (executive management and theaudit committee) perceptions of internal auditing and dene the value they expect internal
auditing to provide:
{ Analyze their perceptions and develop approaches for internal auditing to addressperceived weaknesses.
{ Develop specic statements describing how internal auditing either currently delivers orwill deliver expected value.
{ Revalidate these value statements with your key stakeholders.
Develop specic performance measures to facilitate monitoring and measurement ofinternal audit activities designed to meet stakeholder-driven value expectations:
{ Consider the use of a tailored balanced scorecard.{ Do not base performance measures only on tactical activities performed by internal
auditing.
Develop a communications program to inform members of the internal audit staff about theactivitys stakeholder-driven approach to delivering value and how value will be measured.
Develop an ongoing communications plan targeting key stakeholders to convey the valuebeing delivered by internal auditing.
{ Periodically assess stakeholder perceptions of internal auditings performance and value.
19A Component of the CBOK Study
Imperative 4: Focus, Monitor, and Report on Internal Auditings Value
8/2/2019 1584431_Global Internal Survey Report v Web Version
36/77
IIA StandardsRelated to Internal Auditings Value
1300 Quality Assurance and Improvement Program
The chie audit executive must develop and maintain a quality assurance and improvement program that covers
all aspects o the internal audit activity.
Interpretation:
A quality assurance and improvement program is designed to enable an evaluation of the internal audit
activitys conformance with the Denition of Internal Auditing and theStandards and an evaluation of whether
internal auditors apply the Code of Ethics. The program also assesses the efciency and effectiveness of the
internal audit activity and identies opportunities for improvement.
2000 Managing the Internal Audit Activity
The chie audit executive must eectively manage the internal audit activity to ensure it adds value to the
organization.
Interpretation:
The internal audit activity is effectively managed when:
The results of the internal audit activitys work achieve the purpose and responsibility included in theinternal audit charter;
The internal audit activity conforms with the Denition of Internal Auditing and theStandards; and The individuals who are part of the internal audit activity demonstrate conformance with the Code of Ethics
and theStandards.
The internal audit activity adds value to the organization (and its stakeholders) when it provides objective and
relevant assurance, and contributes to the effectiveness and efciency of governance, risk management, and
control processes.
Imperatives for Change: The IIAs Global Internal Audit Survey in Action
20 A Component of the CBOK Study
8/2/2019 1584431_Global Internal Survey Report v Web Version
37/77
Imperative 5Strengthen Audit Committee Communications andRelationships
Two critical topics converge in this imperative communications and relationships with the audit
committee. While each is important individually, in combination they point to one of the most critical
imperatives for internal auditing today and in the future.
Gaining and maintaining audit committee support is essential to CAE success. On the one hand, the
audit committee needs a clear, periodic, and concise update on the internal audit activity, including both
recommendations and challenges from the CAE. On the other hand, the audit committee is the CAEs
best ally and must work through the audit committee chair to persuade management to provide internal
auditing with the budget and resources the activity needs to achieve the internal audit plan.
Top-rated Communication Skills Identied in the Survey
When asked to select their most important competencies, respondents to the 2010 Global Internal
Audit Survey rated communication skills as the top core competency for all professional ranks:
85.3 percent rated communication skills (dened as including oral,written, andpresentationabilities as well as report writing) as very important, which is the highest ranking possible.
When asked to rank the importance of key behavioral skills, 85.2 percent of surveyrespondents rated communication (dened in this instance as sending clear messages and
listening effectively) as very important.
67.1 percent of respondents ranked the ability to promote the value of internal auditing the top-ranked competency for CAEs in both the 2006 and 2010 surveys as very
important.
As the survey results indicate, the ability to communicate effectively is highly prized by all levels of
internal auditing and is a critical success factor for CAEs. IIA Standard 2060 requires the CAE to report
periodically to senior management and the board on the internal audit activitys purpose, authority,
responsibility, and performance relative to its plan. This reporting challenge includes addressing
signicant risk exposures and control issues as well as fraud risks and governance concerns. Moreover,
Standard 2020 requires a CAE to discuss the internal audit activitys plans and resource requirementswith senior management and the board and to gain approval for planned activities.
Communicating with the audit committee and audit committee chair has assumed a much higher level
of importance given the degree of audit committee concern over risk management and a challenging
economic environment. On the plus side, about 74 percent of the 2010 respondents indicate that they
meet or talk with the audit committee or audit committee chair outside of regularly scheduled meetings
compared with 63 percent in 2006. The results suggest an improvement in the relationship between
the audit committee and internal auditors in 2010 compared to 2006. Despite this positive trend,
21A Component of the CBOK Study
8/2/2019 1584431_Global Internal Survey Report v Web Version
38/77
however, a signicant number of survey respondents are not communicating regularly with the audit
committee chair or taking part in executive sessions with the audit committee. In fact, 25.9 percent
indicated that they do not interact with the audit committee chair outside of regular audit committee
meetings and 40.4 percent do not have private executive sessions with the audit committee. If internal
auditing is to serve as a trusted advisor to the audit committee and audit committee chair, CAEs must
be communicating with their chief stakeholders frequently and informally. For CAEs who alreadycommunicate regularly with the audit committee and the audit committee chair, the challenge is to
increase both the frequency and content level of those communications.
Stakeholder Survey Results Reinforce the Need for Strong Audit CommitteeConnections
The results of The IIAs stakeholder expectations survey reinforce the need for CAEs to develop strong
relationships with the audit committee, a process that includes taking an active role in the education of
audit committee members and communicating important information to them:
96.2 percent of respondents believe it is either important or highly important for internalauditing to serve as an advisor to the audit committee.
93.5 percent of respondents believe it is either important or highly important for internalauditing to serve as the eyes and ears of the audit committee.
91.3 percent of respondents agree or strongly agree that internal auditing should beactively involved in audit committee training.
To be effective, a CAE needs clear direction from the audit committee, a process that involves
comprehensive yet detailed discussions with the committee about internal auditings priorities and thecommittees expectations of the internal audit activity. As one would expect, budgets and resources will
be one of the primary focal points of these conversations. The audit committee needs to know what it
can expect from the internal audit activity if internal audit resources are cut, held constant, or increased.
A point to consider: 34.2 percent of respondents to the 2010 stakeholder survey did not believe that
their particular internal audit activity was getting the funding and support needed to be effective.
Another troubling statistic from the stakeholder expectations study deals with the organizational
positioning of the internal audit activity. Although nearly two-thirds (65.6 percent) of the respondents
view their CAE as a member of senior management, more than a third (34.4 percent) do not. It is
difcult for a CAE to serve as a strategic advisor to the audit committee and senior management, or to
serve as the eyes and ears of the audit committee, if he or she is positioned at too low a level within the
organization to participate in or be aware of signicant issues and strategic initiatives. CAEs who believe
they lack sufcient organizational stature to be effective need to discuss their positioning within the
organization with both the audit committee and senior management. Failure to do so could jeopardize
the internal audit mission.
Imperatives for Change: The IIAs Global Internal Audit Survey in Action
22 A Component of the CBOK Study
8/2/2019 1584431_Global Internal Survey Report v Web Version
39/77
A Closing Caveat
The ability to promote the internal audit activity was the top-ranked competency for CAEs in both the
2006 and 2010 surveys. Obviously, communication has much to do with the success or failure of this
promotional role. CAEs who fail to dene internal audit value from a stakeholder perspective have likely
failed to communicate and interact effectively with the audit committee and executive management.
Imperative 5 Key Action Steps for CAEs
Look for ways to enhance your relationship and stature with the audit committee:
{ Critically assess the quality, frequency, and content of interactions with the auditcommittee chair and take steps to improve these interactions, if necessary.
{ Meet with the audit committee chair to determine audit committee expectations ofinternal auditing, including the anticipated value to be delivered by internal auditing to
senior management and the audit committee as well as the organization as a whole.{ Advise the audit committee on best practices for audit committees and corporategovernance, including audit committee oversight of and interaction with internal
auditing.
Ensure that the internal audit charter reects audit committee expectations of internalauditing.
Ensure that you have frank and candid discussions with executive management and theaudit committee on the adequacy of funding and support for the internal audit activities.
Develop an annual training program for audit committee members:{ Discuss with the audit committee chair possible topics where the CAE can assist the
audit committee with educational or advisory activities.
{ Identify external training opportunities where the CAE can participate with the auditcommittee members or chair.
Develop a communications program to inform members of the internal audit staff about theactivitys stakeholder-driven approach to delivering value and how value will be measured.
Develop an ongoing communications plan targeting key stakeholders to convey the valuebeing delivered by internal auditing:
{ Support the value proposition with an appropriate balanced scorecard of internal auditactivities.
23A Component of the CBOK Study
Imperative 5: Strengthen Audit Committee Communications and Relationships
8/2/2019 1584431_Global Internal Survey Report v Web Version
40/77
IIA StandardsRelated to Communications
1111 Direct Interaction With the Board
The chie audit executive must communicate and interact directly with the board.
2060 Reporting to Senior Management and the Board
The chie audit executive must report periodically to senior management and the board on the internal audit
activitys purpose, authority, responsibility, and perormance relative to its plan. Reporting must also include
signifcant risk exposures and control issues, including raud risks, governance issues, and other matters
needed or requested by senior management and the board.
Interpretation:
The frequency and content of reporting are determined in discussion with senior management and the board
and depend on the importance of the information to be communicated and the urgency of the related actions to
be taken by senior management or the board.
2020 Communication and Approval
The chie audit executive must communicate the internal audit activitys plans and resource requirements,
including signifcant interim changes, to senior management and the board or review and approval. The chie
audit executive must also communicate the impact o resource limitations.
Imperatives for Change: The IIAs Global Internal Audit Survey in Action
24 A Component of the CBOK Study
8/2/2019 1584431_Global Internal Survey Report v Web Version
41/77
Imperative 6View Compliance with The IIAs InternationalStandards for the Professional Practice of Internal
Auditingas Mandatory, Not OptionalFor any profession, compliance with applicable professional standards is expected. For IIA members andcertied internal auditors (CIAs), compliance with the Standards is mandatory, not optional. Yet accord-ing to CAEs taking part in the 2010 Global Internal Audit Survey, only 46.3 percent of their organiza-tions were in full compliance with the Standards in 2010 compared with 59.9 percent in 2006.
This signicant decline in compliance has occurred despite two key facts:
First, more than 70 percent of the respondents to the 2010 Global Internal Audit Surveyeither agree or strongly agree that compliance with the Standards is a key factor in the
ability of an internal audit activity to add value to the governance process.
Second, 89.5 percent of the respondents to The IIAs 2010 stakeholder expectations surveyindicated that adherence to the Standards increases their condence in the internal audit
profession activities.
With nine in 10 internal audit stakeholders expressing
strong support for compliance with the Standards, it
is surprising that such a high percentage of internal
audit activities fail to give their whole-hearted support
to compliance. The ndings of the 2010 stakeholder
expectations survey appear to be at odds with at least
two of the reasons cited by CAEs for noncompliance:
Not perceived as adding value by mgt/board and
Compliance not supported by mgt/board. These
apparent contradictions may indicate the need
for further discussions among the CAE, senior
management, and the board about the Standards
and its mandatory nature as well as stakeholder
expectations in general.
Another concern is the low level of compliance withStandard 1300: Quality Assurance and Improvement
Program. Compliance with Standard 1300 improved
slightly from 2006 to 2010, as 38.4 percent indicated
full compliance in 2010 compared to 32.8 percent in 2006. However, it continues to be the standard
with the lowest level of full compliance, a strong indicator that quality and continuous improvement are
not being given sufciently high priority by CAEs.
The IIAs Standards: Why It Exists
According to The IIA, the Standardshas a
ourold purpose:
1. Delineate basic principles that representthe practice o internal auditing.
2. Provide a ramework or perorming and
promoting a broad range o value-added
internal auditing.
3. Establish the basis or the evaluation o
internal audit perormance.
4. Foster improved organizational processes
and operations.
25A Component of the CBOK Study
8/2/2019 1584431_Global Internal Survey Report v Web Version
42/77
Other reasons cited by CAEs for noncompliance with the Standards include high costs, excessive time
demands, and lack of appropriateness for small organizations. Despite these obstacles, the role of
the CAE includes overcoming challenges and bringing an internal audit activity into full compliance.
By adopting this mindset, compliance with the Standards becomes a positive reection on the
professionalism of the internal audit activity as opposed to an act of noncompliance requiring explanation.
Full compliance with the Standards helps enhance the standing of both the internal audit profession
and individual internal audit activities. Anything short of full compliance erodes the ability of internal
auditors to gain the full respect and support of their key stakeholders and to be viewed as true
professionals by these stakeholders. An organization would not accept failure on the part of its external
auditor to comply with their professional standards; likewise, compliance with internal audit standards
deserves the same high level of respect.
A thorough discussion of the Standards what it entails and what full compliance means to an
organization is a must topic for CAEs to address with the audit committee and senior management.
Above all, it is critical for internal auditing and the audit committee to be of one mind on the issue of
compliance with the Standards. With the revised Standards taking effect in 2011, now is an opportune time
for CAEs to review the Standards (including recent revisions) and assess the degree to which the internal
audit activity is in compliance. CAEs need to critically examine their operations and commit themselves
and their organizations to achieving full compliance with The IIAs Standards and Code of Ethics.
Imperative 6 Key Action Steps for CAEs
Critically assess your strategies and performance relative to the Standards and Code of Ethics:
{ Develop an action plan to become fully compliant with the Standards and Code ofEthics.
Ensure that internal audit policies and practices reect the mandatory nature of theStandards.
Conduct an in-depth brieng with the audit committee and executive management toeducate your key stakeholders on the Standards and the degree to which your internal audit
activity is in compliance; in particular, discuss how the Standards relates to quality and
compliance efforts.
Ensure that the internal audit charter reects the Standards appropriately.
Conduct appropriate continuing education on the Standards with the internal audit activity:
{ Ensure that staff members understand the Standards and Code of Ethics from both atechnical and professional perspective.
{ Establish appropriate targets for the internal audit activity with regard to professionalcertications.
Imperatives for Change: The IIAs Global Internal Audit Survey in Action
26 A Component of the CBOK Study
8/2/2019 1584431_Global Internal Survey Report v Web Version
43/77
Ensure that the audit committee receives regular reports on internal auditings continuousimprovement program and quality targets.
IIA StandardsRelated to StandardsCompliance
1010 Recognition of the Denition of Internal Auditing, the Code of Ethics, and the
Standardsin the Internal Audit Charter
The mandatory nature o the Defnition o Internal Auditing, the Code o Ethics, and the Standardsmust be
recognized in the internal audit charter. The chie audit executive should discuss the Defnition o Internal
Auditing, the Code o Ethics, and the Standardswith senior management and the board.
1300 Quality Assurance and Improvement Program
The chie audit executive must develop and maintain a quality assurance and improvement program that covers
all aspects o the internal audit activity.
Interpretation:
A quality assurance and improvement program is designed to enable an evaluation of the internal audit
activitys conformance with the Denition of Internal Auditing and theStandards and an evaluation of whether
internal auditors apply the Code of Ethics. The program also assesses the efciency and effectiveness of the
internal audit activity and identies opportunities for improvement.
1310 Requirements of the Quality Assurance and Improvement Program
The quality assurance and improvement program must include both internal and external assessments.
1320 Reporting on the Quality Assurance and Improvement Program
The chie audit executive must communicate the results o the quality assurance and improvement program to
senior management and the board.
1322 Disclosure of Nonconformance
When nonconormance with the Defnition o Internal Auditing, the Code o Ethics, or the Standardsimpacts
the overall scope or operation o the internal audit activity, the chie audit executive must disclose the
nonconormance and the impact to senior management and the board.
27A Component of the CBOK Study
Imperative 6: View Compliance with the Standards as Mandatory, Not Optional
8/2/2019 1584431_Global Internal Survey Report v Web Version
44/77
8/2/2019 1584431_Global Internal Survey Report v Web Version
45/77
Imperative 7Acquire and Develop Top Talent
Roughly half of the organizations responding to the 2010 Global Internal Audit Survey expect to recruit
more staff during the next ve years, with 42 percent projecting that they will maintain current stafflevels.
According to survey results, two types of skills are in greatest demand:
Understanding business the top technical skill for management and CAEs and thethird most important technical skill for an internal audit activity ranked as the most
important overall technical skill in both the 2006 and 2010 surveys.
Risk analysis and control assessment techniques ranked second, a reection of thetypes of risks described in Global Risks 2010, a World Economic Forum report (see box on
page 5).
2010 Ratings of Technical Skills by Perceived Importance
Total
Understanding business 72.8%
Risk analysis and control assessment techniques 72.1%
Identiying types o controls 68.4%
Governance, risk, and control tools and techniques 62.0%
Business process analysis 59.4%
Data collection and analysis tools and techniques 56.0%
Operational and management research skills 53.3%
Problem-solving tools and techniques 52.7%
Aside from retaining key staff and broadening skill sets, one of the primary challenges for internal audit
activities today is to increase the general and specic levels of business knowledge among their staff.
Internal auditors need a broader base of business knowledge to understand risks adequately. They also
need to keep up to date with industry and regulatory changes and be attuned to The IIAs Standards and
Practice Advisories.
To address their talent challenges in the years ahead, CAEs need to anticipate new activities that will
require different or expanded skill sets. In particular, they will need to nd more people schooled in risk
analysis and governance, risk and control assessments, and data collection and analysis to expand their
coverage of risk and governance issues and conduct more risk-based audits. Competition for these skill
sets will be intense.
29A Component of the CBOK Study
8/2/2019 1584431_Global Internal Survey Report v Web Version
46/77
How do CAEs typically nd new staff members? For 52 percent of the organizations taking part in
the 2010 survey, the most effective way to recruit new staff is through internal transfer from within
the parent organization. Employment agencies rank second as a source of new employees, followed by
referrals from professional associations. Direct recruitment from universities came in last as a recruiting
source, suggesting that CAEs place a premium on experience when it comes to staff additions.
Of note, nearly half the respondents do not recruit internal audit staff from within their parent
organizations. That could be a mistake from two perspectives:
First, employees already working within the organization would appear to be a great sourceof personnel with in-depth knowledge of the business and its risks. Ready access to a large
pool of quality candidates from within the parent organization has led many internal audit
activities to pursue formal or informal rotational programs within their functions.
Second, 50 percent of the respondents to The IIAs 2010 stakeholder expectations surveyeither disagree or strongly disagree that internal auditing develops top talent for the
parent organization. Although the key stakeholders of internal auditing may not necessarilylook to their internal audit activities to develop talent, the results of the stakeholder
expectations survey suggest that internal audit activities may not be viewed as top-tier
performers within their organizations.
Imperative 7 Key Action Steps for CAEs
Consider the broad talent needs of the organization and how internal auditing ts into theorganizations overall human resources strategy, especially as a grooming ground for talent.
Develop a succession plan for internal audit management that identies backup candidatesfor key positions within the activity.
Conduct an internal audit skills inventory to identify current strengths and weaknesses andproject the levels and types of talent needed over the next two to four years.
Develop specic plans to either acquire staff with strong business knowledge or trainexisting staff to achieve desired knowledge levels.
Consider establishing a formal rotation program within your organization to capitalize onbusiness-unit talent and expertise.
Identify needed skill sets that would be unrealistic to house within internal auditing but thatcan be borrowed from other departments within the parent organization or sourced from
third parties.
Consider new ways to acquire nontraditional talent such as a formal or informal rotationalprogram within your parent organization.
Imperatives for Change: The IIAs Global Internal Audit Survey in Action
30 A Component of the CBOK Study
8/2/2019 1584431_Global Internal Survey Report v Web Version
47/77
8/2/2019 1584431_Global Internal Survey Report v Web Version
48/77
8/2/2019 1584431_Global Internal Survey Report v Web Version
49/77
Imperative 8Enhance Training for Internal Audit Activities
According to the 2010 Global Internal Audit Survey, three types of technical skills stand out as being the
most important to internal auditors:
Those that help build a better understanding of the bu